Hi

On Tue, Dec 13, 2016 at 12:00 PM Lennart Poettering 
> Well, some of them are pretty drastic. For example, I think it would
> make a ton of sense to run all daemons where that's possible with
> ProtectSystem=strict. This would make the entire directory tree
> read-only for them (with the exception of API VFS, i.e. /proc, /sys,
> /dev), and then requires ReadWritePaths= to be used to whitelist the
> select few paths the service shall be able to write to.
>
> If we'd globally say that all services now run with
> ProtectSystem=strict by default, then we'd break pretty much all
> services that want to write something anywhere, until they get updated
> with the right ReadWritePaths= statements... And I have the suspicion
> that this kind of churn would upset quite a few people... I mean, I am
> all for breaking eggs to make an omelette, but maybe not break all
> eggs in the egg carton at once ;-)

I am not sure anyone is suggesting breaking things. There is a pretty incremental approach to this which starts off with encouraging services to whitelist things they need and, when enough services do that, toggle the equivalent sandboxing feature by default and increase coverage over time. If it requires every service to understand all the sandboxing features and enable them manually, we aren't getting security features by default, and we really should.

Rahul
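The incremental, per-service opt-in discussed above looks like this in practice. The following drop-in is an added illustration, not part of the thread or of any real unit file; the service name `example-daemon` and the two writable paths are assumed placeholders.

```ini
# Assumed drop-in location: /etc/systemd/system/example-daemon.service.d/sandbox.conf
# (constructed example; "example-daemon" and the paths are placeholders)
[Service]
# Mount the whole directory tree read-only for this service. The API VFS
# (/proc, /sys, /dev) stays writable, as the quoted message describes.
ProtectSystem=strict
# Whitelist only the few paths this daemon genuinely has to write to.
# Everything else, including /etc and /usr, now returns EROFS on write.
ReadWritePaths=/var/lib/example-daemon /var/log/example-daemon
```

After `systemctl daemon-reload` and a restart, any write the daemon still attempts outside the whitelisted paths fails with "Read-only file system" and shows up in the journal for that unit; each such error points at a path that either belongs in ReadWritePaths= or, more often, at a write the daemon never needed. Tightening one service at a time this way is what makes flipping the default later a non-event rather than the mass breakage the quoted reply worries about.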